President Obama’s Fiscal Year 2017 budget proposal, which was unveiled in early February, called for $19 billion in government cybersecurity investments. Of that sum, $3.1 billion would be dedicated to overhauling outdated federal Information Technology (IT) systems. In a Wall Street Journal op-ed, the president compared government IT to an Atari game in an Xbox world. Of course, this analogy comes as a surprise to no one, as the government has sunk billions in taxpayer dollars into legacy networks, and many of its IT assets are so old and devalued that they are better suited for the Smithsonian than current network operations.
According to current government practices, IT equipment is managed in siloes, with individual IT administrators making decisions without a full view of their department or agency’s larger networks. This approach allows for neither a comprehensive picture of overall networks nor a comprehensive strategy for managing them. With the president calling for a $5 billion increase in federal cybersecurity spending over the $14 billion requested last year, the government needs to create a strategy for implementing modern network infrastructure. Furthermore, this strategy must recognize how big data analytics and visibility across the entire network infrastructure can enhance federal network security.
Allowing IT administrators to view and manage networks as a whole rather than in individual siloes would enable administrators to better manage the health of the overall network, and to mitigate cybersecurity situations in a timely fashion. The public sector offers an example of how the government could, assuming it takes the right approach, spot data breaches in minutes — as opposed to the current state of affairs, where the public learns months later that the data of millions of citizens has been stolen.
As in other areas, while the government is struggling to innovate and keep its technologies current, the private sector is setting the pace. Just as major companies have realized they need to retool their networks and focus on cloud-based virtual systems, the US government needs to embrace the idea of “cloud first” as it modernizes its legacy networks. Cloud-based system design grants users flexibility at the end points while still giving authority to skilled IT experts. The system does this by centralizing networks into a single cloud infrastructure — inflexible hardware is no longer a limiting factor.
Leading private-sector network operators, such as Amazon Web Services, AT&T, Google, and Verizon, have recognized the economic and security advantages of cloud-based networking and have implemented new approaches, such as Software-Defined Networking, to take advantage of the improved capabilities they provide. The US government should look to their example.
In order to make IT investments that will best prepare government networks for tomorrow’s data needs, our government must also think about the scalability, security, and adaptability of the technologies it chooses. In light of the ever-increasing amount of data the government handles and the rapid pace of technological change, these three considerations will be fundamental if government networks are to withstand attacks and safeguard the privacy of our information.
The US government should benefit from the success of the many US-based network technology companies. The president’s newly announced Commission on Enhancing National Cybersecurity, in coordination with the new Office of the Chief Information Security Officer, should seek a strategy that is educated by the experiences of America’s private sector — which set the global standard for running secure, large-scale networks.
The president has called for the strengthening of the government’s partnerships with the private sector. This means more than stepping away from legacy equipment; it means modernizing government IT with a more strategic evolutionary plan. Deploying a system that mirrors an enterprise-designed network allows for more efficient technology choices and more dynamism as the government confronts challenges in the coming years, including cybersecurity threats.
We need to incorporate the lessons of the companies who manage healthy and nimble operations while managing omnipresent risks. We ask CEOs and Boards of Directors to review the effectiveness of their cybersecurity programs. We should be able to ask the same of our government.